- e2e: switch schema reset + sanity check from psql (not installed in
act_runner's catthehacker/ubuntu image) to `prisma db execute --stdin`
which is already a dev dep.
- docker-deploy: after `db push` the schema matches schema.prisma but
_prisma_migrations is empty, so the follow-up `migrate deploy` fails
with P3005. Baseline each migration directory as applied via
`prisma migrate resolve --applied` before deploy; the migrations
themselves are idempotent supplements, so marking-as-applied is safe.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- e2e: use prisma db push --force-reset so the job starts from a
guaranteed clean schema (previous runs hit missing audit_logs
even though push reported in-sync; suspected stale service volume).
- docker-deploy: run prisma db push before db:migrate:deploy in
app-dev-start.sh. The migrations/*.sql files are idempotent
supplements (IF NOT EXISTS guards) that assume base tables already
exist; a fresh container has no tables, so the first incremental
migration's FK on "users" fails. db push creates the baseline,
migrate deploy then layers on the incremental additions.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The bind mount (.:/app) provides workspace-level node_modules symlinks
from the host, but those target the root node_modules/.pnpm store which
inside the container is a named volume with different content-addressable
hashes. Added `pnpm install --frozen-lockfile` to app-dev-start.sh so
symlinks are regenerated against the container's store on every boot.
Also adds restart.sh convenience script for image rebuilds.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Installs postgresql-client in the dev image so pg_isready is available.
The startup script now polls until postgres accepts connections, preventing
the P1001 "can't reach database" crash when the app container starts before
postgres is fully ready.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

#19 MFA QR code: render locally via qrcode package, remove external qrserver.com request
#20 Webhook SSRF: add ssrf-guard.ts with DNS-verified IP blocklist; enforce on create/update/test/dispatch
#21 /api/perf: fail-closed when CRON_SECRET missing; remove query-string token auth
#22 CSP: remove unsafe-eval and unsafe-inline from script-src in production builds
#23 Active session registry: forward jti into session object; validate against ActiveSession on every tRPC request
#24 Docker: add missing packages/application to Dockerfile.dev; fix pnpm-lock.yaml glob;
run db:migrate:deploy on container start so a fresh checkout boots without manual steps
Also: fix pre-existing TS error in e2e/allocations.spec.ts (args.length literal type overlap)
Co-Authored-By: claude-flow <ruv@ruv.net>
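The DNS-verified IP blocklist that #20 above refers to, shown as an added example (this is not the project's ssrf-guard.ts): every A/AAAA answer for the webhook hostname is checked against loopback, RFC 1918, CGNAT, link-local (where cloud metadata endpoints live) and multicast ranges, and the verified addresses are returned so the dispatcher can connect to them directly rather than re-resolving. The function names, the range list and the fail-closed choices are assumptions of this example.

```typescript
import { lookup } from "node:dns/promises";
import { isIP } from "node:net";
// Dotted-quad IPv4 -> unsigned 32-bit integer.
function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

// Constructed blocklist (hypothetical, not the project's): "this" network, RFC 1918,
// CGNAT, loopback, link-local (cloud metadata lives here), multicast, reserved.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 4], ["240.0.0.0", 4],
];

// True when the address must not be contacted. Anything unparseable is blocked (fail closed).
export function isBlockedIp(ip: string): boolean {
  const family = isIP(ip);
  if (family === 4) {
    const n = ipv4ToInt(ip);
    return BLOCKED_V4.some(([net, bits]) => {
      const mask = (~0 << (32 - bits)) >>> 0;
      return (n & mask) >>> 0 === (ipv4ToInt(net) & mask) >>> 0;
    });
  }
  if (family === 6) {
    // IPv4-mapped form (::ffff:a.b.c.d) is judged by the embedded IPv4 address.
    const mapped = ip.toLowerCase().match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
    if (mapped) return isBlockedIp(mapped[1]);
    // Only global unicast (2000::/3) passes; ::1, fc00::/7, fe80::/10, :: and any
    // uncompressed spelling of those fall through to "blocked".
    return !/^[23]/.test(ip);
  }
  return true;
}

// Resolves the hostname (all A and AAAA answers) and rejects the URL if any answer is
// blocked. Returns the verified addresses so the caller can connect to one of them
// instead of resolving again (a second lookup could return a different answer).
export async function assertSafeWebhookUrl(raw: string): Promise<string[]> {
  const url = new URL(raw); // WHATWG parsing also normalises 0x7f000001-style hosts
  if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error("scheme not allowed");
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 literal brackets
  const answers = isIP(host) ? [{ address: host }] : await lookup(host, { all: true });
  for (const { address } of answers) {
    if (isBlockedIp(address)) throw new Error(`${host} resolves to blocked address ${address}`);
  }
  return answers.map((a) => a.address);
}
```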